Objective of the day?
We’ll be setting up an IPsec VPN tunnel between Microsoft Azure and a development/management environment that sits behind a commodity internet connection from a Belgian ISP.
What will our test environment look like?
- Private Network : 192.168.0.0/24
- System running Openswan : 192.168.0.226
- Private Internet Connection : 18.104.22.168
- Azure VPN Gateway : 22.214.171.124
- Test System on Azure : 10.0.0.4
- Azure Network : 10.0.0.0/24
The steps we’ll be going through?
- Configure Virtual Network on Azure
- Configure VPN Gateway
- Configure Openswan
- Configure NAT Rules on the ISP (Telenet) Router
- Activate IPSec VPN Tunnel
- Test Connectivity
Configure Virtual Network on Azure
First we’ll create the Azure network. Browse to “Network Services”, “Virtual network” and then “Custom Create”.
Now we’ll define a new “local” network. “Local” is seen from your perspective: it is the network outside of Azure, i.e. your own LAN.
Enter the external IP address of your own router as the “VPN Device IP Address”; the “address space” holds the subnets of your internal network (192.168.0.0/24 in this example).
Press the “V” (check mark) to acknowledge your settings, and the virtual network will be created (which may take a while).
Configure VPN Gateway
Now Azure will ask you to confirm. The reason is that a VPN gateway comes with a cost (~12 € per month plus bandwidth). The gateway will then be created. This action takes quite some time… a good time for a coffee/tea/smoke/snack/… or whatever kind of break you want. 🙂
Now that the gateway has been created, the “gateway ip address” is shown: 126.96.36.199. Note it down, as we’ll need it later as the “right” address in the Openswan configuration. Next, press the “Manage Key” link at the bottom to reveal the key. Despite the wording, this is not a private key but a pre-shared key (PSK): the same secret is configured on both ends and it is all that authenticates the tunnel, so treat it like a password and do not paste it into tickets or chat.
Much of what follows was borrowed from this Server Fault post: http://serverfault.com/questions/627637/azure-site-to-site-vpn-with-a-linux-based-router-to-bridge-the-vpn-ports-to-a-rr
Configure Openswan
First, install Openswan:
```
sudo apt-get install openswan uml-utilities chkconfig
```
Add the following to your /etc/sysctl.conf and apply it with sudo sysctl -p. ip_forward is required so the Pi can route between the LAN and the tunnel; the redirect and source-route settings stop the Pi from being talked into sending traffic elsewhere. Note that net.ipv4.conf.default.rp_filter only applies to interfaces created afterwards; if ipsec verify still complains about reverse path filtering on eth0, set net.ipv4.conf.all.rp_filter = 0 as well.
```
#ipsec vpn tweaks (kvaes)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
```
Edit your /etc/ipsec.conf config file as follows:
```
root@raspberrypi:~# cat /etc/ipsec.conf
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/24
    protostack=auto
    interfaces="ipsec0=eth0"

conn azure
    authby=secret
    auto=start
    type=tunnel
    left=192.168.0.226
    leftsubnet=192.168.0.0/24
    leftnexthop=192.168.0.1
    right=188.8.131.52
    rightsubnet=10.0.0.0/24
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    esp=3des-sha1,aes128-sha1
    pfs=no
```
The “left” side is your own network and the “right” side is the Azure side: for right, enter the IP address of your Azure VPN gateway; for left, the IP address of the device running Openswan (192.168.0.226, a private address behind the router’s NAT, which is why nat_traversal=yes is needed). A few points worth knowing about this configuration:
- virtual_private entries need the %v4: (or %v6:) prefix; a bare %4: is not accepted. For a fixed site-to-site conn with leftsubnet set it is not actually required.
- ike= and esp= are proposal lists and the gateway picks the first one it accepts. 3DES and the 1024-bit MODP group (DH group 2) are weak by today’s standards; put an AES-256 proposal first (for example aes256-sha1-modp1024) and keep 3DES only as a fallback until you have confirmed what the gateway negotiates.
- pfs=no matches what the Azure static-routing gateway expects; enabling PFS on one side only will break phase 2.
- If the gateway rejects the IKE identity, set leftid= to the public address you entered as the “VPN Device IP Address”, since the Pi’s own address is a private one.
Now edit your /var/lib/openswan/ipsec.secrets.inc file (Debian’s /etc/ipsec.secrets includes it):
```
root@raspberrypi:~# cat /var/lib/openswan/ipsec.secrets.inc
: RSA /etc/ipsec.d/private/raspberrypiKey.pem
192.168.0.226 184.108.40.206: PSK "myLTd29MyPrivateKeyVPtV6f"
```
The first address is your “left”, the second your “right”, and between the quotes goes the pre-shared key you copied from “Manage Key” (the value shown above is a placeholder). The RSA line is Debian’s default host-key entry and is not used by this conn, since authby=secret. This file holds the only secret protecting the tunnel, so keep it readable by root only: chmod 600 /var/lib/openswan/ipsec.secrets.inc.
Now restart the IPsec service to bring the tunnel up:
```
root@raspberrypi:~# /etc/init.d/ipsec restart
```
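After the restart, ipsec auto --status is the quickest way to see whether both IKE phases came up and which proposals the gateway actually picked from the ike= and esp= lists. The script below is an added example and not code from the original post: it parses that output for a named conn, checks that an ISAKMP SA (phase 1) and an IPsec SA (phase 2) are both established, and warns when the negotiated proposal uses 3DES or a 1024-bit MODP group. The status text embedded in it is a constructed, abridged sample in the Openswan 2.6 format, using the same placeholder gateway address as the ipsec.conf above, so that the script runs offline; the file name check-tunnel.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): verify an Openswan conn from the
# output of `ipsec auto --status` and flag weak negotiated algorithms.
# Live use:   . ./check-tunnel.sh; ipsec auto --status | check_conn azure
# (the file name check-tunnel.sh is an assumption)

# Constructed, abridged sample of Openswan 2.6 status output for the "azure"
# conn from the post (same placeholder gateway address as in ipsec.conf).
SAMPLE_STATUS='000 "azure": 192.168.0.0/24===192.168.0.226<192.168.0.226>---192.168.0.1...188.8.131.52<188.8.131.52>===10.0.0.0/24; erouted; eroute owner: #2
000 "azure":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "azure":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "azure":   ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A>
000 #2: "azure":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27941s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "azure":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2740s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate'

# sa_established STATUS CONN PHASE -> 0 if a state line for CONN reports
# "<PHASE> SA established" (PHASE is ISAKMP for phase 1, IPsec for phase 2)
sa_established() {
    printf '%s\n' "$1" | grep -q "^000 #[0-9]*: \"$2\".*$3 SA established"
}

# tunnel_up STATUS CONN -> 0 only when both phases are up; a phase 1 SA alone
# means IKE authenticated but the subnets or ESP proposal did not match
tunnel_up() {
    sa_established "$1" "$2" ISAKMP && sa_established "$1" "$2" IPsec
}

# negotiated STATUS CONN KIND -> print the "<KIND> algorithm newest:" value,
# i.e. what the peer actually chose from the ike=/esp= lists (KIND: IKE or ESP)
negotiated() {
    printf '%s\n' "$1" | sed -n "s/^000 \"$2\": *$3 algorithm newest: *\([^;]*\).*/\1/p"
}

# weak_algo ALGO -> 0 if the proposal string uses 3DES or a 1024-bit MODP group
weak_algo() {
    case "$1" in
        *3DES*|*MODP1024*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_conn CONN: read status text from stdin; report and return 0 if the
# tunnel is up, 1 if not. Weak proposals are reported but do not fail the check.
check_conn() {
    conn_status=$(cat)
    if tunnel_up "$conn_status" "$1"; then
        ike=$(negotiated "$conn_status" "$1" IKE)
        esp=$(negotiated "$conn_status" "$1" ESP)
        echo "$1: up (IKE=$ike, ESP=$esp)"
        weak_algo "$ike" && echo "WARNING: weak IKE proposal negotiated: $ike"
        weak_algo "$esp" && echo "WARNING: weak ESP proposal negotiated: $esp"
        return 0
    fi
    echo "$1: DOWN (no established ISAKMP and IPsec SA pair)"
    return 1
}

# Demo run against the constructed sample; reports "azure: up" plus two
# warnings, because the sample negotiated 3DES with MODP1024.
printf '%s\n' "$SAMPLE_STATUS" | check_conn azure
```

With the ike= list from the post, an "up" result with a 3DES/MODP1024 warning is exactly the signal to move the AES proposal to the front of the list and restart; once the gateway negotiates AES the warning disappears.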
Configure NAT Rules on the ISP (Telenet) Router
Browse to the admin page of your router. For Telenet, this is https://mijn.telenet.be/; navigate to the advanced settings. On the “network” tab you can review your internal LAN subnet and your external address (“220.127.116.11” in this example).
Now browse to “IPv4 Firewall & Port Forwarding” and add rules for the following IPsec traffic:
- UDP port 500: ISAKMP/IKE, the phase 1 and phase 2 negotiation. Needed in both directions.
- UDP port 4500: NAT traversal (NAT-T). Because the Pi sits behind the router’s NAT, the peers detect this during IKE and move to UDP/4500, after which the ESP packets are encapsulated inside UDP/4500 as well. Needed in both directions.
- Protocol 50: Encapsulating Security Payload (ESP). Note that 50 is an IP protocol number, not a TCP/UDP port; some router interfaces list it as if it were a port or as an “IPsec passthrough” option. It only matters when ESP travels unencapsulated, which is not the case here because NAT-T is in use.
- Protocol 51: Authentication Header (AH). Also a protocol number, not a port. The configuration above negotiates ESP only, so this rule can be omitted.
In practice the two UDP rules are the ones that must work for this setup. Direct them to the system that will host Openswan (in this example 192.168.0.226) and press “Save”. If the router allows a source restriction, limit the inbound rules to the Azure gateway address so that the IKE daemon on the Pi is not reachable from the whole internet. Now you are good to go in terms of the firewall NAT rules.
If you want to test whether the ports are open and you do not have an external machine available, you can use a tool like http://www.yougetsignal.com/tools/open-ports/ ; keep in mind that such online checkers probe TCP ports, so they cannot confirm UDP 500/4500. The reliable check is whether ipsec auto --status on the Pi shows the conn with an established ISAKMP SA and IPsec SA after the restart.
Activate IPSec VPN Tunnel
The restart above brings the tunnel up (auto=start), and ipsec auto --status should show the azure conn with an established ISAKMP SA and IPsec SA.
Test Connectivity
So far so good! Now let’s test. First, ping the Azure address space from the Pi:
```
root@raspberrypi:~# ping 10.0.0.0
PING 10.0.0.0 (10.0.0.0) 56(84) bytes of data.
64 bytes from 10.0.0.0: icmp_req=1 ttl=127 time=16.8 ms
64 bytes from 10.0.0.0: icmp_req=2 ttl=127 time=14.6 ms
64 bytes from 10.0.0.0: icmp_req=3 ttl=127 time=14.4 ms

--- 10.0.0.0 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 14.480/15.333/16.882/1.106 ms
```
We receive replies. With ttl=127 they are answered on the Azure side rather than by a Linux VM (which would show ttl=63, as below), so this proves the tunnel carries traffic but not yet that a VM is reachable. Now let’s start a test system on the Azure network and ping it:
```
root@raspberrypi:~# ping 10.0.0.4
PING 10.0.0.4 (10.0.0.4) 56(84) bytes of data.
64 bytes from 10.0.0.4: icmp_req=1 ttl=63 time=17.3 ms
64 bytes from 10.0.0.4: icmp_req=2 ttl=63 time=15.6 ms
64 bytes from 10.0.0.4: icmp_req=3 ttl=63 time=15.6 ms
64 bytes from 10.0.0.4: icmp_req=4 ttl=63 time=14.8 ms
64 bytes from 10.0.0.4: icmp_req=5 ttl=63 time=14.5 ms

--- 10.0.0.4 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 14.506/15.582/17.318/0.986 ms
```
Now let’s try to connect to it over SSH:
```
root@raspberrypi:~# ssh firstname.lastname@example.org
email@example.com's password:
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.2.0-75-virtual x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon Jan 26 10:04:19 UTC 2015

  System load:  0.24              Processes:           92
  Usage of /:   3.1% of 28.83GB   Users logged in:     0
  Memory usage: 5%                IP address for eth0: 10.0.0.4
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Jan 25 18:04:30 2015 from 192.168.0.226
To run a command as administrator (user "root"), use "sudo
```
Note the “Last login … from 192.168.0.226” line: the VM sees the Pi’s private LAN address, which confirms the session arrived through the tunnel rather than via the router’s public NAT address.
And now let’s ping the other way, from the Azure VM back to the Pi:
```
myusername@KVAESTEST02:~$ ping 192.168.0.226
PING 192.168.0.226 (192.168.0.226) 56(84) bytes of data.
64 bytes from 192.168.0.226: icmp_req=1 ttl=63 time=15.6 ms
64 bytes from 192.168.0.226: icmp_req=2 ttl=63 time=15.2 ms
64 bytes from 192.168.0.226: icmp_req=3 ttl=63 time=17.7 ms

--- 192.168.0.226 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2010ms
rtt min/avg/max/mdev = 15.202/16.204/17.799/1.140 ms
```
So everything works! Happy VPN-ing… 😀
What was the cost of this lab test?